The LiquidationPoolManager should call distributeFees() before updating the poolFeePercentage.
The owner of the LiquidationPoolManager contract has the ability to change the poolFeePercentage.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPoolManager.sol#L84-L86
The rewards distributed to stakers in the LiquidationPool scale with the poolFeePercentage parameter: a higher value allocates more rewards to stakers, while a lower value reduces the rewards distributed to them.
https://github.com/Cyfrin/2023-12-the-standard/blob/91132936cb09ef9bf82f38ab1106346e2ad60f91/contracts/LiquidationPoolManager.sol#L35
This is why rewards should be distributed at the current poolFeePercentage before this number is updated. Rewards accrued after the update then fall under the new poolFeePercentage.
This vulnerability has a medium impact, as the poolFeePercentage should only apply to the rewards accrued after its change.
Manual review
Before changing the poolFeePercentage, distribute rewards.
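A minimal sketch of the recommended ordering, added here as an illustration and not taken from the audited repository. The contract name `FeeManagerSketch`, both setter names, the `HUNDRED_PC` scale and the direct `transfer` to the pool are assumptions that simplify the real contract.

```solidity
// SPDX-License-Identifier: MIT
pragma solidity ^0.8.17;

// Added example: simplified model of a fee splitter, not the project's contract.
interface IERC20Min {
    function balanceOf(address account) external view returns (uint256);
    function transfer(address to, uint256 amount) external returns (bool);
}

contract FeeManagerSketch {
    uint32 public constant HUNDRED_PC = 100000; // assumed scale: 100000 == 100%
    IERC20Min public immutable feeToken;        // hypothetical fee token
    address public immutable pool;              // receives the stakers' share
    address public immutable protocol;          // receives the remainder
    address public immutable owner;
    uint32 public poolFeePercentage;

    constructor(IERC20Min _feeToken, address _pool, address _protocol, uint32 _pct) {
        feeToken = _feeToken;
        pool = _pool;
        protocol = _protocol;
        owner = msg.sender;
        poolFeePercentage = _pct;
    }

    // Splits everything accrued so far at the rate currently in force.
    function distributeFees() public {
        uint256 balance = feeToken.balanceOf(address(this));
        if (balance == 0) return;
        uint256 forPool = balance * poolFeePercentage / HUNDRED_PC;
        if (forPool > 0) require(feeToken.transfer(pool, forPool), "pool transfer");
        if (balance > forPool) require(feeToken.transfer(protocol, balance - forPool), "protocol transfer");
    }

    // Ordering the finding describes: fees already accrued but not yet
    // distributed are later split at the new rate.
    function setPoolFeePercentageRetroactive(uint32 _pct) external {
        require(msg.sender == owner, "not owner");
        poolFeePercentage = _pct;
    }

    // Recommended ordering: settle pending fees at the old rate, then switch.
    function setPoolFeePercentage(uint32 _pct) external {
        require(msg.sender == owner, "not owner");
        distributeFees();
        poolFeePercentage = _pct;
    }
}
```

With this ordering, a revert inside `distributeFees()` also blocks the rate change, so the distribution path has to stay callable for the setter to work.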